Without some changes t the HIPS module, customers will not utilize it.

In the last week I have 3 friends who use Eset. They are not experts in the field of security products but they know how to ensure updates are correct and what the basic modules mean.


I installed the RC for them. Only one had a clue as to what HIPS are and even with that did not understand a thing about creating rules.

All agreed that unless it is something preset, they would disable it for the future.

Wilders members are not the ones that Eset makes the crux of their money off of. Just normal joes and sometimes a few savy customers. My fear is, without some customization to this module, the majority of customers are not even going to show it the time of day and in its current state was a total waste of money for being developed.

Now, I myself want to see the released product with all this corrected because that is when all will see the value of it without having to completely understand it.

 

Yep. I think that's what it's boiling down to. Although I didn't agree at first, the implication of 'RC' is that we're looking at a product that's close to release, when clearly there's no way that it is. I'm a little disheartened - enough to look at the market, but it's also why I'm now back with EAV v4: Lightweight and gives what I term 'essential protection' (+ common sense).

 

That's what automatic mode is for - it's indended for users who don't have a clue as how to respond to HIPS prompts. Advanced users can create custom rules or switch to interactive mode.

 

Marcos, just what does it do in automatic mode since it says it needs defined rules and there are not any. Are you sure that was not suppose to be, "Disabled" instead of "Automatic."

 

Of course, automatic mode will never protect against threats as good as in interactive mode. It's impossible that the program could decide automatically between actions carried out on purpose by the user or legit software and actions carried out by malware and thus make correct decisions. This holds true for any module, be it firewall or HIPS. If the software itself could make 100% correct decisions then yes, automatic mode would protect against every single threat. However, as we all know there's no such a security solution with 100% detection of threats.
As I have stated elsewhere, HIPS is subject to evolution. There is already a set of pre-defined rules to protect crucial system processes that are invisible to the user. Newer HIPS modules will be released on a regular basis to improve HIPS protection even more for common users. Also HIPS will get more tightly binded to other protection modules over time.

 

That sounds good. As long as there is a future for it, and average users, you get a from me.

Thank you for answering this.

 

I'll be using the automatic setting. It seems to be working as I ran MRU-Blaster and the HIPS correctly warned me that startup settings were modified.
I would hope the HIPS would block unwarranted attempts to modify startup settings.

 

Only if you create a rule for that. In the next build of the HIPS module, notifications about startup settings modifications will be disabled by default as they may be annoying for most users.

 

Marcos, thank you.

 

May I know how HIPS rules created for the Automatic Mode?Via virus definition updates?The Automatic mode is so silent.

 

I also want to know the pre-set rules in the automatic mode. I just tell lots of users in my forum that the automatic mode is somehow useful and don't give up hope!

 

I think for the HIPS, a white/black list actions is the better solution..

An action list to protect, the Host file, the windows kernel etc etc.. And an advertising when a program change start-up settings (many malware make this action).

 

Marcos

I use a limited right user profile on my pc with windows XP. There is no HIPS notification in that kind of user profile. I never saw one....

Will i be notified if HIPS is alert in a limited right profile ?

 

i enabled some startup items trough ccleaner and i was notified in a limited account

 

I am surprised you can do this with no administrator rights !! What version of windows do you have ?

here with XP, I am sure I cant do that

 

XP SP3 here i did not changed the settings in Smart Security

 

is probably faster and safer block malware using the cloud than the HIPS

 

for what i see interractive mode are too boring (for very start up there more than 20 prompt windows that appears at every start up on my ring that really annoying) and with automatic with user rules it's always enabled (must defined the rules after)... I think that 's not the good way to do it:

Maybe a automatic mode with just one prompt to defined the rules (after the first start of the application) so we can disable what we don't want and don't be boring after.

 

To bring these two functions together is the best option. Using the cloud to define the HIPS's follow-on suggestion to the user.

 

blocking a file, just by reputation from users, is unsafe as this could create false positives

 

reputation is only show the status and help user decide. and the suggestion is to accelerate the speed of TS.net thenhelp user get the auto analysis result at avery short time andhave the result on a pop up window.

 

auto analysis

 

I believe there must be an auto analysis system to help the analyst in eset's lab. we can make use of it in the cloud, not only by reputation.

 

unknown applications could be restricted based on a risk level

this restriction feature must be off by default, as that may be annoying for the average user

 

HIPS pop-ups in interactive mode can be enhanced by displaying reputation info from Threatsense.net cloud.